Increasing globalisation and the associated business transformation mean that enterprises are now complex networks dependent on nodes within other organisations as well as nodes within the same organisation. This business transformation includes outsourcing, offshoring, restructuring, mergers and acquisitions, and value chain optimisation, and creates new technology risks such as increasing numbers of third-party providers, complex service interconnections, challenges of emerging markets, as well as intellectual property, liability and data sovereignty issues.

Board members and executives feel that risk frameworks, processes and structures are no longer giving them the level of assurance they need. They see an increase in the speed and impact of risk events, and a reduction in their ability to identify and tackle new risks. Cost pressures from Boards, which feel they are spending too much time and money running risk processes with limited effectiveness, mean that risk organisations are being driven to optimise headcount, rationalise infrastructure, and improve the operating efficiency of their risk processes and technology. The majority of risk managers see efficiency as the strongest driver of future investment in risk management.

According to McKinsey & Co, technology is now involved in more than half of critical operational risks, and cybersecurity spending (for example) is growing at three times the rate of the technology being secured. As risk increases, controls increase to mitigate it, and those controls become more prescriptive (e.g. PCI DSS) and more dependent on the predictive model used.

From a risk practitioner's perspective, we see fragmented risk governance and policy frameworks, a “hodge-podge” of non-scalable point solutions, spreadsheets and manual processes giving multiple views of risk and control, a shortage of qualified resources, and unclear business and technology ownership and accountabilities. The disparate systems cause confusion due to duplicated, opaque and contradictory information, as well as waste due to overlapping and inconsistent strategies, and policies, processes and systems that must be maintained.

Clearly, a transformation of the risk management function is needed alongside business transformation.